I figured it out, if MFA Provider Ranks are specified, OR if there is Groovy script that serves as MFA Provider Trigger, MFA-provider-selection is No longer available. That is OK, what I did is 1) Not to specify MFA provider ranking 2) Not using Groovy for triggers, instead, on each MFA provider, use Groovy bypass script, MFA is skipped if user does Not support the given provider. This is now working correctly for the initial login, i.e., user is presented with the MFA providers that he has configured earlier.
I assume my understanding is correct? that is, Triggers and Provider Selection cannot co-exist, only one can be specified? On Wednesday, January 14, 2026 at 5:34:28 PM UTC-5 Ray Bon wrote: > Could you display a list on a page and have the user select one? > > Ray > ------------------------------ > *From:* [email protected] <[email protected]> on behalf of Yan Zhou < > [email protected]> > *Sent:* January 14, 2026 12:30 > *To:* CAS Community <[email protected]> > *Subject:* [cas-user] how to implement: move to next MFA provider? > > Hello, > > CAS 7.3.1 overlay. At user level, there are principal attribute indicate > the MFA options user prefers, for instance, ["mfa-simple", "mfa-gauth"], > this user can do both simpl-mfa and Google Authenticator. > > During MFA login, I wish to implement this: if one MFA provider fails, > move to the next MFA Provider that the user supports. For instance, > "simple-mfa" fails because user is Unable to get OTP via SMS or Email, he > can click "Next MFA provider" and move to "mfa-gauth". > > Looking at CasSimpleMultifactorWebflowConfigurer, I do No t know how to > tell CAS webflow that mfa-simple has failed and move to the next MFA > Provider. > > I am using Groovy to determine which MFA provider to activate for the user: > > cas.authn.mfa.triggers.principal.global-principal-attribute-predicate.location > =classpath:mfaProviderPredicate.groovy > > thx, > > -- > - Website: https://apereo.github.io/cas > - List Guidelines: https://goo.gl/1VRrw7 > - Contributions: https://goo.gl/mh7qDG > --- > You received this message because you are subscribed to the Google Groups > "CAS Community" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion visit > https://groups.google.com/a/apereo.org/d/msgid/cas-user/11311671-b5fa-4d50-896c-fba69eae7fe8n%40apereo.org > > <https://groups.google.com/a/apereo.org/d/msgid/cas-user/11311671-b5fa-4d50-896c-fba69eae7fe8n%40apereo.org?utm_medium=email&utm_source=footer> > . > -- - Website: https://apereo.github.io/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/69233fda-d332-4915-a5ee-cff6ebbb191an%40apereo.org.
